From 8a6ed20eaa3a775e0aa5e16e08c3d22f7aa7d34b Mon Sep 17 00:00:00 2001 From: Victoria Martinez de la Cruz Date: Fri, 3 May 2024 11:50:53 +0200 Subject: [PATCH] Fail earlier when registry creds are not set (#592) * Fail earlier when registry creds are not set Move the credential setup for the internal registry up in the execution and perform a simple check with the "oc image info" command to fail earlier in case the credentials haven't been set properly * Add assert to the internal registry creds check Enhance debugging experience by adding more information when trying to access to the required bundles in the internal registry * Change "internal registry" for "bundles registry" Use a more accurate term when refering to the registry in which the bundles are located when doing the early registry access check * Keep logic for checking bundle registry creds Maintain the conditionals when checking the config for the bundle registry credentials and cert --- build/stf-run-ci/tasks/main.yml | 4 + .../stf-run-ci/tasks/setup_registry_auth.yml | 104 ++++++++++++++++++ .../tasks/setup_stf_from_bundles.yml | 86 --------------- 3 files changed, 108 insertions(+), 86 deletions(-) create mode 100644 build/stf-run-ci/tasks/setup_registry_auth.yml diff --git a/build/stf-run-ci/tasks/main.yml b/build/stf-run-ci/tasks/main.yml index 4f9e8b8f6..eec4313cb 100644 --- a/build/stf-run-ci/tasks/main.yml +++ b/build/stf-run-ci/tasks/main.yml @@ -47,6 +47,10 @@ tags: - pre-clean +- name: Set up bundle registry credentials (deploy from bundles) + ansible.builtin.include_tasks: setup_registry_auth.yml + when: __deploy_from_bundles_enabled | bool or setup_bundle_registry_auth | bool + - name: Setup supporting Operator subscriptions ansible.builtin.include_tasks: setup_base.yml tags: diff --git a/build/stf-run-ci/tasks/setup_registry_auth.yml b/build/stf-run-ci/tasks/setup_registry_auth.yml new file mode 100644 index 000000000..bd33b8194 --- /dev/null 
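Review bot: The new include runs whenever `setup_bundle_registry_auth` is true, but setup_registry_auth.yml ends with unconditional asserts on `__smart_gateway_bundle_image_path` and `__service_telemetry_bundle_image_path` plus `oc image info` probes of those images, so a run that only configures registry auth without deploying from bundles would presumably stop on the path assert. If that combination is not meant to be supported, either a comment on the `when:` saying so, or narrowing it to `when: __deploy_from_bundles_enabled | bool`, would make the intent explicit; the task name "(deploy from bundles)" already suggests the narrower condition.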
+++ b/build/stf-run-ci/tasks/setup_registry_auth.yml 
@@ -0,0 +1,104 @@ +- name: Update Pull Secret with bundle registry credentials + when: setup_bundle_registry_auth | bool + block: + - name: Get existing Pull Secret from openshift config + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + namespace: openshift-config + name: pull-secret + register: pull_secret + + - name: Decode docker config json + ansible.builtin.set_fact: + dockerconfigjson: "{{ pull_secret.resources[0].data['.dockerconfigjson'] | b64decode }}" + + - name: Merge registry creds into auth section of docker config + ansible.builtin.set_fact: + new_dockerauths: "{{ dockerconfigjson['auths'] | combine( { + pull_secret_registry:{ + 'auth': (pull_secret_user ~ ':' ~ pull_secret_pass) | b64encode + } + }) }}" + + - name: Create new docker config + ansible.builtin.set_fact: + new_dockerconfigjson: "{{ dockerconfigjson | combine({'auths': new_dockerauths}) }}" + + - name: Create Pull Secret for bundle registry access (in the local namespace) + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + type: kubernetes.io/dockerconfigjson + metadata: + name: pull-secret + namespace: "{{ namespace }}" + data: + .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" + + - name: Create Pull Secret for bundle registry access (in the global namespace) + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + type: kubernetes.io/dockerconfigjson + metadata: + name: pull-secret + namespace: openshift-config + data: + .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" + +- name: Create registry CA Cert + when: setup_bundle_registry_tls_ca | bool + kubernetes.core.k8s: + state: present + definition: + apiVersion: v1 + kind: Secret + type: Opaque + metadata: + name: registry-tls-ca + namespace: "{{ namespace }}" + data: + cert.pem: "{{ lookup('file', 'CA.pem') | b64encode }}" + +- name: Patch the default service account to use our pull secret + when: 
setup_bundle_registry_tls_ca | bool + kubernetes.core.k8s_json_patch: + kind: ServiceAccount + namespace: "{{ namespace }}" + name: default + patch: + - op: add + path: /imagePullSecrets + value: + - name: pull-secret + +- name: Ensure that the bundle paths are set + ansible.builtin.assert: + that: + - '__smart_gateway_bundle_image_path | default("") | length > 0' + - '__service_telemetry_bundle_image_path | default("") | length > 0' + fail_msg: "Bundle path(s) not set. __smart_gateway_bundle_image_path is '{{ __smart_gateway_bundle_image_path }}' and __service_telemetry_bundle_image_path is '{{ __service_telemetry_bundle_image_path }}'. Both values need to be set." + success_msg: "Bundle paths are defined, are not None and have a non-zero-length." + +- name: Try to access to the STO bundle + ansible.builtin.command: oc image info {{ __service_telemetry_bundle_image_path }} + register: sto_bundle_info + ignore_errors: true + +- name: Try to access to the SGO bundle + ansible.builtin.command: oc image info {{ __smart_gateway_bundle_image_path }} + register: sgo_bundle_info + ignore_errors: true + +- name: Check successful read access to STO and SGO bundles in the internal registry + ansible.builtin.assert: + that: + - sto_bundle_info.rc != 0 + - sgo_bundle_info.rc != 0 + fail_msg: "Bundles couldn't be retrieved. Check configuration for the bundles registry and retry." + success_msg: "Bundles were correctly retrieved from the registry." diff --git a/build/stf-run-ci/tasks/setup_stf_from_bundles.yml b/build/stf-run-ci/tasks/setup_stf_from_bundles.yml index cdb09be85..9406ad278 100644 --- a/build/stf-run-ci/tasks/setup_stf_from_bundles.yml +++ b/build/stf-run-ci/tasks/setup_stf_from_bundles.yml 
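Review bot: The final assert "Check successful read access to STO and SGO bundles" passes only when both `oc image info` probes fail, because it requires `sto_bundle_info.rc != 0` and `sgo_bundle_info.rc != 0`, which inverts the stated goal of failing early when the bundles cannot be read; the conditions should be `- sto_bundle_info.rc == 0` and `- sgo_bundle_info.rc == 0`. With `ignore_errors: true` each probe is still reported as failed in the play output, so `failed_when: false` states the intent more precisely, and the fail_msg would be far more useful for debugging if it carried the probe output, e.g. `fail_msg: "Bundles couldn't be retrieved (STO: {{ sto_bundle_info.stderr }}; SGO: {{ sgo_bundle_info.stderr }}). Check configuration for the bundles registry and retry."`. Note that `oc image info` presumably runs with the control host's own `oc` session credentials rather than the cluster pull-secret the preceding tasks create, so it validates host-side access, not the cluster-side configuration; a comment above the probes stating which of the two is being verified would avoid a false sense of coverage. The service-account patch is gated on `setup_bundle_registry_tls_ca` rather than `setup_bundle_registry_auth`, which the commit message says was kept deliberately, but a one-line comment explaining why the pull-secret patch depends on the TLS-CA flag would save the next reader the same question.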
@@ -1,81 +1,3 @@ -- when: setup_bundle_registry_auth | bool - block: - - name: Get existing Pull Secret from openshift config - kubernetes.core.k8s_info: - api_version: v1 - kind: Secret - namespace: openshift-config - name: pull-secret - register: pull_secret - - - name: Decode docker config json - ansible.builtin.set_fact: - dockerconfigjson: "{{ pull_secret.resources[0].data['.dockerconfigjson'] | b64decode }}" - - - name: Merge registry creds into auth section of docker config - ansible.builtin.set_fact: - new_dockerauths: "{{ dockerconfigjson['auths'] | combine( { - pull_secret_registry:{ - 'auth': (pull_secret_user ~ ':' ~ pull_secret_pass) | b64encode - } - }) }}" - - - name: Create new docker config - ansible.builtin.set_fact: - new_dockerconfigjson: "{{ dockerconfigjson | combine({'auths': new_dockerauths}) }}" - - - name: Create Pull Secret for bundle registry access (in the local namespace) - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: kubernetes.io/dockerconfigjson - metadata: - name: pull-secret - namespace: "{{ namespace }}" - data: - .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" - - - name: Create Pull Secret for bundle registry access (in the global namespace) - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: kubernetes.io/dockerconfigjson - metadata: - name: pull-secret - namespace: openshift-config - data: - .dockerconfigjson: "{{ new_dockerconfigjson | tojson | b64encode }}" - -- when: setup_bundle_registry_tls_ca | bool - name: Create registry CA Cert - kubernetes.core.k8s: - state: present - definition: - apiVersion: v1 - kind: Secret - type: Opaque - metadata: - name: registry-tls-ca - namespace: "{{ namespace }}" - data: - cert.pem: "{{ lookup('file', 'CA.pem') | b64encode }}" - -- when: setup_bundle_registry_tls_ca | bool - name: Patch the default service account to use our pull secret - kubernetes.core.k8s_json_patch: - kind: 
ServiceAccount - namespace: "{{ namespace }}" - name: default - patch: - - op: add - path: /imagePullSecrets - value: - - name: pull-secret - # When the task is skipped, pull_secret is still defined. It is set to the task output i.e. # "pull_secret": { # "changed": false, @@ -87,14 +9,6 @@ ansible.builtin.set_fact: pull_secret: '' -- name: "Ensure that the bundle paths are set." - ansible.builtin.assert: - that: - - '__smart_gateway_bundle_image_path | default("") | length > 0' - - '__service_telemetry_bundle_image_path | default("") | length > 0' - fail_msg: "Bundle path(s) not set. __smart_gateway_bundle_image_path is '{{ __smart_gateway_bundle_image_path }}' and __service_telemetry_bundle_image_path is '{{ __service_telemetry_bundle_image_path }}'. Both values need to be set." - success_msg: "Bundle paths are defined, are not None and have a non-zero-length" - - name: Deploy SGO via OLM bundle ansible.builtin.shell: cmd: "{{ base_dir }}/working/operator-sdk-{{ operator_sdk_v1 }} --verbose run bundle {{ __smart_gateway_bundle_image_path }} {% if pull_secret | length > 0 %} --pull-secret-name=pull-secret --ca-secret-name=registry-tls-ca {% endif %} --namespace={{ namespace }} --timeout 600s"